You would search by the whenChanged
attribute. Something like this:
(&(whenChanged>=20180425150000.0-0400)(objectClass=user)(objectCategory=person))
The format is pretty straight forward:
{year}{month}{date}{hour}{minute}{seconds}.{milliseconds}-{timezone}
For example, in my example above I used today's date at 3:00pm eastern.
There are a couple caveats to keep in mind:
- The
whenChanged
attribute is not exactly the same on every domain controller, but they will be close (within a half hour). The reason is because of replication - the time is set to the time each DC received the change.
- When a user logs in, the
lastLogon
time is updated, and that triggers the whenChanged
attribute to be updated. So just because whenChanged
changes, it doesn't mean someone modified the account. This also means that this search will return more accounts than you may expect.